A dangerous Apache Flink flaw has resurfaced, and is being actively exploited

Red padlock open on electric circuits network dark red background
(Image credit: Shutterstock/Chor muang)

The US Cybersecurity and Infrastructure Security Agency (CISA) recently added a three-year-old vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, thus warning federal agencies that hackers are actively exploiting it to compromise devices without endpoint protection.

The vulnerability in question is an improper access control flaw first found in Apache Flink back in January 2021.

Apache Flink is an open source stream-processing framework developed and maintained by the Apache Software Foundation. It is designed to process large volumes of data in real time with low latency and high throughput.

A deadline for patching

The flaw is tracked as CVE-2020-17519. It was discovered in early January 2021, and was never given a specific severity score. 

Still, the Apache Software Foundation fixed it in a timely manner, by applying a fix. Vulnerable versions include Flink 1.11.0, 1.11.1, and 1.11.2. Fixed versions are 1.11.3, and 1.12.0. 

“A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process,” the Apache Software Foundation explained at the time. “Access is restricted to files accessible by the JobManager process.”

Adding the bug to the KEV, CISA also gave federal agencies a deadline by which they should either apply the patch, or stop using the vulnerable software altogether - June 13. Obviously, firms in the private sector should do the same, as hackers rarely skip a potential target, regardless of the industry it is in. 

Unfortunately, CISA did not share additional details about the vulnerability or its exploiters, so we don’t know who the threat actors are, or who the victims might be. We also don’t know how many firms may have been compromised this way already, or what the attackers are using it for. 

Via The Register

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
A person's fingers type at a keyboard, with a digital security screen with a lock on it overlaid.
Apache Foundation urges users to patch now and fix major security worries
The best free firewall
Palo Alto warns another major firewall hack has been detected
Representational image depecting cybersecurity protection
CISA says Oracle and Mitel have critical security flaws being exploited
Best free Linux firewalls
Fortinet warns a critical vulnerability in its systems could let attackers breach company networks
An image of network security icons for a network encircling a digital blue earth.
US government warns agencies to make sure their backups are safe from NAKIVO security issue
Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
The Witcher 4
You're probably not playing The Witcher 4 until 2027 at the earliest, per CD Projekt's latest financial update
DeepSeek
DeepSeek’s new AI is smarter, faster, cheaper, and a real rival to OpenAI's models
Open AI
OpenAI unveiled image generation for 4o – here's everything you need to know about the ChatGPT upgrade
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora